Browsers Take a Stand Against Kazakhstan’s Invasive Internet Surveillance


Yesterday, Google Chrome, Mozilla Firefox, and Apple’s Safari browsers started blocking a security certificate previously used by Kazakh ISPs to compromise their users’ security and perform dragnet surveillance. We encourage other browsers to take similar security measures. Since the fix has been implemented upstream in Chromium, it shouldn’t take long for other Chromium-based browsers, like Brave, Opera, and Microsoft’s Edge, to do the same.

What Happened, and Why Is It a Problem?

Back in July, Kazakhtelecom, Kazakhstan’s state telecommunications operator, began regularly intercepting encrypted web (HTTPS) connections. Usually, this kind of attack on encrypted HTTPS connections is detectable and leads to loud and visible browser warnings or other safeguards that prevent users from continuing. These security measures work because the certificate used is not trusted by user devices or browsers.

This two-step process, in which Kazakh ISPs deploy an untrusted certificate and users then manually trust that certificate, allows the ISPs to read and even alter the online communication of any of their users, including sensitive user data, messages, emails, and passwords sent over the web. Research and monitoring from Censored Planet found around 40 domains that were being regularly intercepted, including Google services, Facebook services, Twitter, and VK (a Russian social media site).

The government of Kazakhstan had expressed their intention to perform dragnet surveillance like this in the past, but, following widespread backlash, it failed to act on those statements. Now, it seems the Kazakh authorities were serious about undermining the privacy of their entire country's communications — even if it meant forcing individual Internet users to manually compromise their devices’ own built-in privacy protections.

What’s Next?

Earlier this month, Kazakhstan’s National Security Committee stated that Kazakhstan had halted the program. The announcement, along with a tweet from the president of Kazakhstan, called the program a successful pilot, claiming it was mounted to detect and counteract external security threats, even though the government’s actions primarily compromised the security of Kazakhstan’s own citizens. The announcement also stated that the program may be deployed again in the future. Censored Planet’s live monitoring indicates that the system was turned off after the first week of August.

This step by Google, Mozilla, and Apple to block the particular certificate that Kazakh ISPs used for traffic interception prevents the government of Kazakhstan from resuming this invasive program, and it sets a precedent for browsers to take similar actions against network attacks of this nature in the future. Without strong pushback, it’s likely that Kazakhstan, or other states, might try to repeat their “pilot,” so we also encourage browser vendors, device manufacturers, and operating systems to improve the warnings and tighten the flow around manually trusting new certificates.

Kazakhstan’s actions were a drastic response to the slowly improving security of end-user devices and end-to-end communication online, but they and other countries could take even more invasive steps. Faced with just a handful of secure browsers, the government could next push their citizens to use a browser that does not currently implement this safeguard. We encourage other browsers to take the same steps and stand in solidarity against the government of Kazakhstan’s decision to compromise the Internet security of their entire population. What’s more, designers of user software should anticipate such intrusive state action in future threat models.
